OIG
OFFICE OF INSPECTOR GENERAL
Catalyst for Improving the Environment

Audit Report

Improvements Are Needed for Information Technology Controls at the Las Vegas Finance Center

Report No. 2003-P-00011

May 29, 2003

Report Contributors: Edward Densmore, Wen Song, Corey Costango, Cheryl Reid

Abbreviations

ARTS    Asbestos Receivable Tracking System
EPA     U.S. Environmental Protection Agency
LAN     Local Area Network
LVFC    Las Vegas Finance Center
NIST    National Institute of Standards and Technology
OIG     Office of Inspector General

Purpose

The objective of this audit was to determine whether general information technology controls at the Las Vegas Finance Center (LVFC) are adequate to safeguard the integrity of Agency resources and ensure continuity of critical EPA operations.

Background

The LVFC, in Las Vegas, Nevada, is a field branch of the Financial Services Division of EPA’s Office of the Chief Financial Officer. LVFC provides a full range of accounting and financial services to EPA co-located activities, such as the Team Vegas Human Resources Office, National Exposure Research Las Vegas Laboratory, and the Radiation and Indoor Environments National Laboratory; remote activities, such as labs in Oklahoma, Oregon, and Colorado; and Criminal Investigations Division offices in Boston, San Francisco, Philadelphia, Chicago, and New York. These services include processing procurement orders, Government bills of lading, and travel-related documents. The LVFC is also responsible for grant payments and financial closeout for all assistance agreements in both EPA Headquarters and Region 7.

The LVFC Local Area Network (LAN) provides network support for the staff at LVFC and the Office of Solid Waste and Emergency Response, and hosts the Las Vegas National Value-Added Backbone Service accessible to all other EPA field office organizations in the Las Vegas area (i.e., Human Resources, Office of Radiation and Indoor Air, and the Office of Research and Development). The LVFC LAN consists of 3 Novell servers running Novell NetWare 5.0, 32 client workstations operating on a mix of DOS and Windows 95/98/2000/XP operating systems, 7 networked workgroup printers, and a tape drive for performing backups.

The LVFC is also responsible for Asbestos Grant and Loan Program post-award loan activity. Related to this program, the Asbestos Receivable Tracking System (ARTS) microcomputer database application was developed to record and track repayments as well as manage EPA’s asbestos loans and provide for reporting direct loans under the Credit Reform Act of 1990. The software contains subsidiary ledger detail data that feeds into EPA’s Integrated Financial Management System accounts receivable general ledger balances. ARTS tracks the disbursement of loans and collection of payments, and also issues bills and reminder notices to loan recipients. In addition, ARTS provides detailed data for internal and external reports regarding asbestos loans for the Office of Management and Budget, Treasury, and Congress.

Scope and Methodology

The primary focus of this audit was security controls over the LVFC LAN and ARTS. Specifically, we reviewed security program planning and management, access controls, segregation of duties, and service continuity practices. We conducted our audit field work from December 2002 to February 2003, at LVFC and at EPA Headquarters in Washington, DC.

To accomplish the audit objective, we used a variety of Federal and Agency regulatory documents, including:

• Office of Management and Budget Circular A-130, Appendix III, Security of Federal Automated Information Resources.
• National Institute of Standards and Technology (NIST) Special Publication 800-12, An Introduction to Computer Security.
• EPA Directive 2195A1, Information Security Manual.
• EPA Directive 2195.1 A4, Agency Network Security Policy.

We conducted the audit in accordance with Government Auditing Standards issued by the Comptroller General of the United States. We reviewed the LVFC LAN and ARTS security plans, and the Continuity of Operations Plan. We interviewed personnel at LVFC and at EPA headquarters. In addition, we performed tests on the logical security controls and observed physical security controls at the LVFC.

Prior Audit Coverage

A prior EPA OIG report entitled Fiscal 1994 Financial Statement Audit of EPA’s Trust Funds, Revolving Funds and Commercial Activity, No. E1SFL4-20-8001-5100192, dated February 28, 1995, identified several control weaknesses related to ARTS at LVFC. Specifically, the report noted ARTS lacked: (1) adequate security over computer programs and loan data, (2) a virus protection program, (3) standardized backup and recovery procedures, (4) an Integrated Financial Management System interface, and (5) a problem/change control log. Recommendations included: developing written policies and procedures describing ARTS backup, recovery, and contingency plans; maintaining ARTS data and program backups in a secure off-site location; and implementing an electronic interface between ARTS and the Integrated Financial Management System. In responding to the draft report, the Chief Financial Officer agreed to take corrective action on all of the recommendations.

Results of Review

Improvements are needed to general information technology controls at LVFC to effectively ensure continuation of services. Backup media (i.e., on- and off-site storage) were not properly secured, system documentation was not being stored off-site, and network connection boxes were unlocked. As a result, should a disruption of service occur, LVFC’s ability to start up operations in a timely manner could be impeded. The weaknesses relating to off-site backup media and system documentation occurred because management had not developed a comprehensive continuity of support plan for the LVFC LAN. In addition, management did not perform a complete risk assessment for the LVFC LAN that may have identified the weaknesses relating to on-site backup media and the network connection boxes. A continuity of support plan establishes the necessary procedures for managing and continuing operations following disasters or interruptions of service, while a risk assessment assists management in identifying threats and vulnerabilities. To improve continuity of operations capabilities, management also needs to follow generally accepted practices for securing backup media and storing systems documentation. Details on conditions noted follow.

Unsecured Backup Media

LAN. LVFC did not properly secure the on- and off-site storage of its LAN backup tapes. Incremental backups of the LAN are performed daily and a full backup every Friday. Although the on-site LAN backup tapes were stored in the LVFC computer room, the current weekly backup tapes were located in an unlocked tape drive and thus were not adequately secured. In addition, another set of backup tapes was stored on open racks within the computer room. Although LVFC officials did not think further controls were needed because the computer room utilizes a card reader system for access, anyone entering the computer room could compromise the on-site backup tapes. For example, a number of contractors outside of the finance group have access to the computer room. These contractors need access to shared telecommunications equipment installed in the room, but they do not need access to the backup tapes. Regarding off-site storage, the LAN backup tapes are removed to an off-site storage location every other Friday. However, the off-site storage location for these tapes was an EPA employee’s personal residence. Management cannot ensure the physical security of backup tapes at a personal residence, and may not be able to retrieve such backup tapes during an emergency situation if the employee is on travel or otherwise not available.

ARTS. Backup tapes for ARTS also were not properly secured on- and off-site. ARTS is backed up weekly, and the backup tapes are stored on-site in an unlocked cabinet located in shared LVFC office space accessible to all personnel in that space. Only authorized personnel (e.g., the system administrator and employee responsible for performing backups) should have access to the backup media. In addition, although the tapes are also sent monthly to the Financial Systems Branch at EPA Headquarters, the Branch leaves the tapes unsecured on top of a file cabinet inside shared office space. Furthermore, since ARTS files are backed up to the LVFC LAN, they are exposed to the weaknesses previously discussed for the LAN backup tapes.

ARTS System Documentation Not Stored Off-Site

Management did not store ARTS system documentation off-site. A copy of the documentation stored on-site includes procedures to back up, restore, and recover the application. If LVFC operations are disrupted and on-site system documentation cannot be obtained, the ARTS application manager stated she would be able to restore ARTS without the documentation. Nonetheless, she agreed maintaining another copy of system documentation off-site would be helpful, since she did not think anyone else would be able to restore the ARTS application without the system documentation. Industry best practices dictate that off-site storage of documentation should be established to support recovery and business continuity plans.

Unlocked Network Connection Boxes

The network connection boxes between the LVFC LAN and the building housing the Office of Solid Waste and Emergency Response’s connectivity to the LVFC LAN were not locked. That office uses the LVFC server to connect to the EPA network. The unlocked network connection boxes were located on the exterior of the two buildings and were opened by releasing two latches, exposing the fiber optic cables. According to NIST Special Publication 800-12, physical access controls should address not only the area containing system hardware but locations of wiring used to connect elements of the system and data lines. Within a few hours of the unlocked network connection boxes being brought to the attention of the LVFC management, padlocks were placed on the boxes.

As a result of the conditions noted, LVFC’s ability to start up operations in a timely manner may be impeded, should a disruption of service occur. Consequently, LVFC may not be able to effectively continue its operations or have the most current data available, if a disaster occurs. Specifically, management may not be able to timely obtain the backup tapes and system documentation needed to restart necessary financial management services for its customers.

The weaknesses relating to off-site backup media and system documentation occurred because management had not developed a comprehensive continuity of support plan for the LVFC LAN. In addition, management did not perform a complete risk assessment for the LVFC LAN that may have identified the weaknesses relating to on-site backup media and the network connection boxes. Management needs to expand the LVFC continuity of operations plan to ensure LAN operations can continue smoothly. The current plan assigns responsibilities for plan activation and identifies some essential functions, positions, and equipment needed for relocating to an alternate site. However, it does not provide detailed procedures for continuing LAN operations, such as business priorities and timing for restoration and recovery. EPA Directive 2195A1 includes steps to develop continuity of support plans. These steps include (1) defining and describing what needs to be done for shutting down the hardware during and immediately after an emergency; (2) identifying business priorities, the order of importance, and timing for restoration and recovery of system processing capabilities; and (3) determining how hardware supplies and other needed items will be obtained.

Office of Management and Budget Circular A-130, Appendix III, requires Federal agencies to consider risk when deciding what security controls to implement. It states a risk-based approach is required to determine adequate security, and encourages agencies to consider major risk factors, such as threats, vulnerabilities, and the effectiveness of current or proposed safeguards. Also, EPA Directive 2195.1 A4 states risk assessments must be conducted and updated for general support systems (which include LANs) and/or major applications at least every 3 years, or when a substantive configuration change occurs.

LVFC management currently relies on “BindView,” a system management product, to perform risk assessments for its LAN. BindView can be used to monitor and report on password activity, intruder detection, and the presence of unauthorized files in the login directory. Although BindView is a very useful management tool, it does not address the whole LAN environment and does not satisfy risk assessment requirements. LVFC managers also utilized the agency’s self-assessment tool to gather data on the LAN in support of NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems. Self-assessments provide a method for managers to determine the current status of their information security programs. This NIST Special Publication states a risk assessment should be conducted in conjunction with or prior to the self-assessment. It further states a self-assessment does not eliminate the need for a risk assessment. According to NIST Special Publication 800-12, a risk assessment includes collecting and analyzing data (e.g., asset valuation, consequence analysis, threat identification, safeguard analysis, and vulnerability analysis). If management had performed a risk assessment that included threat identification, it may have identified the weaknesses relating to unsecured backup media and the unlocked network connection boxes.

To improve continuity of operations capabilities, management also needs to follow generally accepted practices for securing backup media and storing systems documentation. As noted, LVFC did not have adequate LAN and ARTS backup procedures. Generally accepted practices dictate that management design media controls to prevent the loss of confidentiality, integrity, or availability of information when stored outside the system. EPA’s LAN Operating Procedures also endorse such practices.

Recommendations

We recommend that the Branch Chief, LVFC:

1. Conduct a complete risk assessment for the LVFC LAN.

2. Develop, implement, and test a comprehensive continuity of support plan for the LVFC LAN.

3. Update and implement the LAN and ARTS backup procedures to include an adequate off-site storage location and adequate physical controls for both on- and off-site backup media and system documentation, and update the LAN and ARTS security plans accordingly.

Agency Response and OIG Evaluation

In responding to the draft report, the LVFC Branch Chief concurred with our recommendations (see Appendix A). In the response, some language changes were suggested and, in most cases, we modified the report language accordingly.

The response indicated LVFC officials are working with their Information Security Officer to identify an individual and/or organization who will conduct a complete risk assessment during fiscal 2004. They have also agreed to develop, implement, and test a comprehensive continuity of support plan for the LVFC LAN. Furthermore, LVFC management has installed a locked, fireproof cabinet in the LVFC computer room for on-site storage of the LAN and ARTS backups. A second locked, fireproof cabinet has been installed in a secured room off-site, in order to provide storage for the LAN and ARTS backups, as well as for copies of the ARTS system documentation. The door to the backup tape drive is also now under lock and key.

In our view, the corrective actions described in response to Recommendations 1 and 2 are appropriate and should, when fully implemented, adequately address the recommendations. However, LVFC management did not fully address Recommendation 3 by indicating concurrence or non-concurrence with updating the LAN and ARTS security plans. If the LAN and ARTS security plans are subsequently updated to reflect the corrective action described in LVFC’s response for Recommendation 3, this recommendation will also be adequately addressed.

Appendix A

Agency’s Response to Draft Report

Appendix B

Report Distribution

Comptroller (2731 A)
Deputy Chief Financial Officer (2710A)
Director, Financial Services Division, Office of Chief Financial Officer (2734R)
Director, Financial Management Division, Office of Chief Financial Officer (2733R)
Audit Liaison, Office of Chief Financial Officer (2710A)
Inspector General (2410)